Science and technology

Internet security

A cyber-remedy for poison

WHY should you care about the domain name system (DNS)? This inherently dull bit of the internet's plumbing turns the names used to label a single server or a collection of servers (like www.economist.com, say) into machine-readable numeric addresses (like 64.14.173.20). The rub is that DNS can be easily "poisoned" so that legitimate, intelligible addresses redirect users to malicious numeric ones, leaving them none the wiser. This can happen within a coffee-shop network or affect an entire country's online operations. As a consequence, web surfers and e-mail readers may fall into the hands of criminals or prying government authorities who can grab passwords and intercept communications, transfer money or imprison dissidents.

Now, though, OpenDNS, a firm that provides free and paid DNS-based services, has come up with a fix. It has released an early, working version of a tool that, in effect, packages a computer's request to translate a name into a number inside a secure wrapper on its way to and from the firm's own DNS servers. This prevents interception and tampering at the most likely weakest points along the way. The tool, called DNSCrypt, is ready for Macs; versions for other platforms are in the works. OpenDNS has also released the source code to be freely used, and hopes the protocol might be widely adopted, and perhaps even built into web browsers and other software.

Normally poisoning DNS responses does not trigger alerts in a browser or other software. But it can be detected when a user wants to establish a secured, or "https", connection. Communication with such secured sites is protected by SSL/TLS certificates. Those certificates, vouched for by third-party certificate authorities (CAs) using a cryptographic signature, ought only to be in the hands of the verified owners of a domain's servers. When a computer on a network with a hacked DNS tries to establish a secure connection with a bogus server, and the impostor fails to serve up the right credential, alarms are sounded by the operating system or client software.

The difficulty at present is that a few supposedly trusted CAs have been compromised: in April an affiliate of Comodo leaked a few certificates, and the Dutch authority DigiNotar let slip as many as 250. An illegitimately issued but valid certificate from a trusted CA combined with the ability to poison DNS allows online mischief makers to pose as secured websites. (Certificates can be revoked, but this typically takes time; following this year's incidents, nearly all operating-system and browser makers released updates with the subverted CAs' certificates flagged as invalid.)

For a suborned certificate to work, a cracker needs both the legitimate-seeming certificate and a way to make the domain named in it resolve, via a poisoned DNS response, to a malicious server. Imagine a postal carrier with a package that must be signed for, who is waylaid and told that the recipient has moved, and is shown the recipient's signature on a letter as proof. The mailman blithely hands over the box to the wrong home.
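The certificate checks described above, as an added example that is not part of the article and not OpenDNS's or any browser's code: a toy trust store that validates a server certificate against its roots and hostname, and shows why the vendor updates mentioned earlier (flagging a subverted CA as untrusted) cause every certificate that CA issued to fail. CA names, hostnames and keys are constructed; signatures are simulated with HMAC over a per-CA secret, standing in for the public-key signatures (RSA or ECDSA over X.509) that real CAs use.

```python
# Added example, not from the article or from OpenDNS: a toy model of certificate
# validation and of distrusting a compromised CA. All names and keys are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    hostname: str      # the domain the certificate vouches for
    issuer: str        # name of the CA that signed it
    signature: bytes   # issuer's signature over (hostname, issuer)


@dataclass
class CertificateAuthority:
    name: str
    secret: bytes      # stands in for the CA's private signing key (constructed)

    def issue(self, hostname: str) -> Certificate:
        msg = f"{hostname}|{self.name}".encode()
        return Certificate(hostname, self.name,
                           hmac.new(self.secret, msg, hashlib.sha256).digest())


@dataclass
class TrustStore:
    # CA name -> verification key (in this toy model the same secret; real stores hold public keys)
    roots: Dict[str, bytes] = field(default_factory=dict)
    distrusted: Set[str] = field(default_factory=set)

    def add_root(self, ca: CertificateAuthority) -> None:
        self.roots[ca.name] = ca.secret

    def distrust(self, ca_name: str) -> None:
        # what an operating-system or browser update does once a CA is known to be compromised
        self.distrusted.add(ca_name)

    def verify(self, cert: Certificate, expected_hostname: str) -> Tuple[bool, str]:
        if cert.issuer in self.distrusted:
            return False, "issuer flagged as compromised"
        key = self.roots.get(cert.issuer)
        if key is None:
            return False, "issuer not in trust store"
        msg = f"{cert.hostname}|{cert.issuer}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.signature):
            return False, "bad signature"
        if cert.hostname != expected_hostname:
            # the alarm a client raises when a poisoned DNS answer leads it to an
            # impostor that cannot present a certificate for the name it asked for
            return False, f"hostname mismatch: cert is for {cert.hostname}"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the article's scenario and return each check's (ok, reason)."""
    good_ca = CertificateAuthority("GoodRoot", secrets.token_bytes(32))
    leaky_ca = CertificateAuthority("LeakyRoot", secrets.token_bytes(32))   # the compromised CA
    store = TrustStore()
    store.add_root(good_ca)
    store.add_root(leaky_ca)

    legit = good_ca.issue("www.example.com")
    rogue = leaky_ca.issue("www.example.com")          # illegitimately issued, yet cryptographically valid
    wrong_host = good_ca.issue("other.example.net")    # an impostor presenting someone else's certificate
    unknown = CertificateAuthority("NobodyRoot", secrets.token_bytes(32)).issue("www.example.com")

    results = {
        "legit": store.verify(legit, "www.example.com"),
        "wrong_host": store.verify(wrong_host, "www.example.com"),
        "unknown_issuer": store.verify(unknown, "www.example.com"),
        "rogue_before_update": store.verify(rogue, "www.example.com"),
    }
    store.distrust("LeakyRoot")   # the vendor update flagging the subverted CA
    results["rogue_after_update"] = store.verify(rogue, "www.example.com")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>20}: {outcome}")
```

The "rogue_before_update" line is the gap the article describes: while a leaked CA root remains in the store, a certificate it issued for someone else's domain passes every check, and only the DNS layer (or the distrust update) stands between the user and the impostor.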

With DNSCrypt in place, however, that particular subterfuge falls flat. The software creates an encrypted tunnel between a user's computer and OpenDNS's servers through which all requests are sent. As a result, an impostor has no way of knowing which domain name a user is requesting a numeric equivalent of. A malicious network might try to block OpenDNS, but that would reveal its machinations. And OpenDNS has another clever trick up its sleeve: it can masquerade its secure connection as a regular web page request. (Securing DNS requests in this fashion pairs neatly with a separate effort to spruce up the web's certificate integrity, called notarisation.)
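The "secure wrapper" idea, as an added example that is not part of the article and not OpenDNS's DNSCrypt code: each query and each answer travels in an envelope that is encrypted, so an on-path observer cannot read the queried name, and authenticated, so a rewritten answer fails its check and is discarded rather than trusted. The real protocol uses Curve25519 key agreement and XSalsa20-Poly1305; here the shared key is simply handed to both sides and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library. Zone data, addresses and keys are constructed.

```python
# Added example, not from the article or from OpenDNS: a toy DNSCrypt-style
# envelope compared with plain DNS under on-path tampering. Constructed data only.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 12
TAG_LEN = 32

# Constructed zone for the toy resolver (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
ZONE: Dict[str, str] = {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.25"}
POISONED_IP = "198.51.100.66"   # constructed: where a rewritten answer would send the client


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream built from HMAC-SHA256(enc_key, nonce || counter) blocks (toy cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(shared_key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(shared_key, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_key, b"mac", hashlib.sha256).digest())


def seal(shared_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC envelope: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(shared_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(shared_key: bytes, envelope: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (tampering or wrong key)."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(shared_key)
    nonce, ct, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def resolver_answer(name: str) -> Dict[str, Optional[str]]:
    return {"name": name, "address": ZONE.get(name)}


def plain_lookup(name: str, on_path_tamper: bool) -> Optional[str]:
    """Classic DNS: the answer travels in the clear and a rewritten one is indistinguishable from a real one."""
    answer = resolver_answer(name)
    if on_path_tamper:
        answer = {"name": answer["name"], "address": POISONED_IP}
    return answer["address"]


def wrapped_lookup(name: str, shared_key: bytes, on_path_tamper: bool) -> Optional[str]:
    """DNSCrypt-style: both directions are sealed; any modification fails the tag and is dropped."""
    query_env = seal(shared_key, json.dumps({"name": name}).encode())
    # resolver side
    query = unseal(shared_key, query_env)
    if query is None:
        return None
    answer_env = seal(shared_key, json.dumps(resolver_answer(json.loads(query)["name"])).encode())
    if on_path_tamper:
        # without the key, an on-path party can only flip bits; it cannot produce a valid tag
        body = bytearray(answer_env)
        body[NONCE_LEN] ^= 0x01
        answer_env = bytes(body)
    # client side
    answer_bytes = unseal(shared_key, answer_env)
    if answer_bytes is None:
        return None   # the client discards the answer instead of trusting it
    answer = json.loads(answer_bytes)
    if answer["name"] != name:   # reject an answer replayed from a different query
        return None
    return answer["address"]


def name_visible_on_wire(name: str, shared_key: bytes) -> bool:
    """What a passive observer learns: is the queried name readable in the sealed query?"""
    return name.encode() in seal(shared_key, json.dumps({"name": name}).encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in DNSCrypt this comes from Curve25519 key agreement
    print("plain, tampered :", plain_lookup("www.example.com", True))
    print("wrapped, tampered:", wrapped_lookup("www.example.com", key, True))
    print("name on wire     :", name_visible_on_wire("www.example.com", key))
```

The contrast is the point of the article's paragraph: plain DNS hands the client the poisoned address with no signal that anything went wrong, whereas the wrapped lookup returns nothing rather than a forged answer, and the observer never sees which name was asked for. A network that wanted to defeat this would have to block the wrapped channel outright, which is exactly the visible "machination" the article describes.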

OpenDNS's boss, David Ulevitch, says his firm decided to tackle the problem because it is in a bully position to provide assistance to those users or firms who want to take extra steps to ensure the integrity of their communications. With 30m users, mostly of its free look-up service, it can spread awareness—and plug its paid offerings.

I can't speak for OpenDNS, but the internet is in the middle of a bit of a fast-acting crisis in terms of several different problems that reduce the ability for an individual to assess the integrity of a given secured connection (and worse with unsecured ones).

OpenDNS's DNSCrypt software and proposal doesn't break the Internet for anyone by improving it for those who choose to use it. It is the equivalent of a VPN connection (which handles all services) that a user might employ for corporate security.

DNSSEC, DANE, and other ways to make DNS more robust, secure, and integrated with SSL/TLS security are woefully behind in terms of adoption. And they don't solve all problems, either. We'll likely see a comprehensive set of integrated solutions, opt-in via browsers and operating systems, before there are global options.

Actually I did. I signed up thinking it was actually an 'Open' DNS for the specific reason that I didn't want to automatically be sent to a page full of ads when I accidentally typed an error into my browser bar. Unfortunately OpenDNS did the same thing.
But my point really was that you'd expect the Economist to not simply print a PR puff piece without digging deeper.

Actually, Dan Bernstein originally came up with the idea and the algorithms behind what OpenDNS refers to as DNSCrypt; http://dnscurve.org/. However, OpenDNS is to be given credit for using and publicizing it. According to Mr. Bernstein, DNSSEC has several problems, though from what I read the problems the two technologies are trying to solve are somewhat disjoint.